METHOD AND DEVICE OF MANIPULATING DATA IN FINITE FIELDS



FIELD OF THE INVENTION 

[001] The present invention relates to computations in finite fields, and to conversion 
between representations of finite fields. 

BACKGROUND 

[002] The Advanced Encryption Standard (AES) specifies the Rijndael block cipher algorithm ("the Rijndael algorithm"), which includes a ByteSub operation on an input byte, x. The ByteSub operation has an encryption mode and a decryption mode. The encryption mode combines an inverse operation with an affine transformation, i.e., x is converted into Ax^-1 + b, wherein A and b are predetermined parameters. The decryption mode applies the inverse affine transformation followed by the inverse operation, i.e., x is transformed into (A^-1(x + b))^-1. According to the AES, the inverse operation is performed over the Galois Field GF(2^8). The field is represented in polynomial form, using a reduction polynomial.

[003] Other known block cipher algorithms also implement an inversion operation in GF(2^8). These include, for example, the Camellia cipher algorithm described by K. Aoki et al. in "Specification of Camellia - a 128-bit Block Cipher", http://info.isl.ntt.co.jp/camellia/, and the Zodiac cipher algorithm described by C. H. Lee in "Zodiac: Block Cipher Proposal", http://www.safedigm.com/productpds/download/Safedigm_Zodiac.pdf.

[004] One method of implementing the AES uses two lookup tables, also referred to as S-boxes, each including 256 values corresponding to the 256 possible values of x in GF(2^8). An encryption S-box includes the 256 values of Ax^-1 + b and a decryption S-box includes the 256 values of (A^-1(x + b))^-1. Another method implements one table, denoted F(x), including the 256 values of the inverse of x, namely x^-1. This method requires storage of one table containing 256 values, as well as additional circuitry for implementing the encrypt/decrypt affine transformations, i.e., multiplying by A or A^-1 and adding b. Thus, the conventional implementation of the AES S-box with the set of computations defined by the Rijndael algorithm is not sufficiently efficient.

[005] Designing a more efficient S-box may significantly reduce the complexity of AES implementations, since a conventional hardware implementation of AES requires several, e.g., sixteen, S-boxes.

[006] In V. Rijmen, "Efficient implementation of the Rijndael S-box", http://www.esat.kuleuven.ac.be/~rijmen/rijndael/sbox.pdf ("the Rijmen reference"), it is suggested that using a set of computations based on a representation of GF(2^8) as an extension of GF(2^4) may improve the efficiency of an AES S-box. However, the Rijmen reference does not disclose, suggest or imply how such a representation might be achieved. Furthermore, the Rijmen reference concludes that even if an AES S-box based on an extended GF(2^4) could be implemented, such an implementation may have no practical use if a good VHDL compiler is used. Therefore, the Rijmen reference teaches away from seeking ways to implement an AES S-box based on an extended GF(2^4).
SUMMARY OF THE INVENTION

[007] Embodiments of the invention provide a method and a device for efficiently manipulating data provided in a GF(2^8) representation, e.g., for implementing at least some AES encryption and/or decryption operations on data provided in a GF(2^8) representation, by converting the GF(2^8) data into a GF((2^4)^2) representation and performing, in the GF((2^4)^2) representation, operations equivalent to the GF(2^8) operations.

[008] Exemplary embodiments of the invention may solve a fundamental problem of implementing an AES S-box based on an extended GF(2^4), namely the problem of efficiently translating the data from a GF(2^8) representation into a GF((2^4)^2) representation, such that the overall procedure of translation and operations is more efficient than the conventional implementation.

[009] The method of manipulating data, in accordance with embodiments of the invention, may include converting the GF(2^8) data into corresponding data in a GF((2^4)^2) representation. This may be achieved by applying to the GF(2^8) data a conversion operator related to a predetermined representation-transformation from the GF(2^8) representation to the GF((2^4)^2) representation. For example, the conversion operator may include a combination of a linear transformation and the predetermined representation-transformation. In some embodiments the conversion operator may be related only to the representation-transformation. The conversion operator may include a representation-transformation matrix corresponding to the desired transformation. The representation-transformation matrix may be selected from a set of possible representation-transformation matrices according to desired criteria, e.g., minimum area for circuit implementation. Each matrix of the set may be defined by two field generators, i.e., a root of the irreducible polynomial over GF(2) defining the GF(2^8) representation, and a field generator of the GF((2^4)^2) representation. The GF((2^4)^2) representation may be defined by an irreducible reduction polynomial over GF(2) defining GF(2^4) and an extension polynomial over GF(2^4), e.g., an irreducible polynomial of second degree over GF(2^4).

[0010] According to some embodiments, the method may also include performing on the GF((2^4)^2) data at least one operation equivalent to at least one desired operation in the GF(2^8) representation, to provide processed GF((2^4)^2) data. The method may also include converting the processed GF((2^4)^2) data back into the GF(2^8) representation. This may be achieved by applying to the processed GF((2^4)^2) data a de-conversion operator related to the predetermined representation-transformation. For example, the de-conversion operator may include a combination of a linear transformation and an inverse of the predetermined representation-transformation.

[0011] According to some embodiments of the invention there is provided a method for determining the representation-transformation matrix. The method may include synthesizing, e.g., by constructing and/or simulating, a plurality of circuits, each corresponding to a representation-transformation matrix from the GF(2^8) representation into the GF((2^4)^2) representation, and/or to an inverse of the representation-transformation matrix. The method may also include selecting one of the matrices based on predetermined optimization criteria, e.g., minimal circuit area.

[0012] According to some exemplary embodiments of the present invention, a method, a system and a device for performing at least some AES S-box encryption and/or decryption operations are provided. According to some exemplary embodiments of the present invention, GF(2^8) input data to be encrypted and/or decrypted by an AES device may be converted from a GF(2^8) representation into data in a GF((2^4)^2) representation. According to some embodiments, the conversion may include a linear transformation and/or a predetermined representation-transformation from the GF(2^8) representation into the GF((2^4)^2) representation. GF((2^4)^2) operations, equivalent to the GF(2^8) AES encryption/decryption operations, may be performed on the GF((2^4)^2) data to provide processed GF((2^4)^2) data. The processed GF((2^4)^2) data may then be converted back into the GF(2^8) representation. According to these embodiments the hardware implementation of the overall process, e.g., the process of converting the data into the GF((2^4)^2) representation, performing the equivalent encryption/decryption operations and converting the processed data back into the GF(2^8) representation, may be significantly more efficient than a conventional hardware implementation of the AES S-box.

[0013] According to further exemplary embodiments of the present invention, there is provided a secure memory storage device compliant with an AES S-box. The storage device may include an input conversion module adapted to convert GF(2^8) data to be stored into a GF((2^4)^2) representation. The input conversion module may include decryption conversion circuitry and encryption conversion circuitry. The storage device may further include an operations module adapted to perform operations on the GF((2^4)^2) data and provide processed GF((2^4)^2) data. The operations to be performed by the operations module may be equivalent to the GF(2^8) AES encryption/decryption operations. The storage device may further include an output de-conversion module adapted to convert the processed GF((2^4)^2) data back into the GF(2^8) representation. The output de-conversion module may include decryption de-conversion circuitry and encryption de-conversion circuitry.



BRIEF DESCRIPTION OF THE DRAWINGS 

[0014] The subject matter regarded as the invention is particularly pointed out 

and distinctly claimed in the concluding portion of the specification. The invention, 
however, both as to organization and method of operation, together with objects, 
features and advantages thereof, may best be understood by reference to the following 
detailed description when read with the accompanied drawings in which: 

[0015] Fig. 1 is a flow chart illustration of a method of manipulating data, in accordance with embodiments of the invention;

[0016] Fig. 2 is a schematic illustration of a circuit implementing an AES S-box for encryption and/or decryption of data, according to some exemplary embodiments of the present invention; and

[0017] Fig. 3 is a schematic illustration of an operation module, according to further exemplary embodiments of the invention.

[0018] It will be appreciated that for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn accurately or to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity, or several physical components may be included in one element. Further, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements. It will be appreciated that these figures present examples of embodiments of the present invention and are not intended to limit the scope of the invention.
DETAILED DESCRIPTION OF THE PRESENT INVENTION

[0019] In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those of ordinary skill in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, and components have not been described in detail so as not to obscure the present invention.

[0020] In the following detailed description, the notation GF(2^{2s}) refers to a representation of a Galois Field (GF) of order 2^{2s} as an extension field of GF(2) consisting of the polynomials over GF(2) modulo p(t), wherein p(t) is an irreducible polynomial of degree 2s over GF(2). A polynomial may be represented in the GF(2^{2s}) representation by a string of 2s bits. An element, x, in the GF(2^{2s}) representation may be defined by a 2s-digit binary number x = [x_{2s-1} x_{2s-2} ... x_1 x_0], wherein x_i is the coefficient of t^i in the corresponding polynomial.

[0021] The notation GF((2^s)^2) refers to a representation of a GF of order 2^{2s} as an extension field of GF(2^s) consisting of the polynomials over GF(2^s) modulo r(t), wherein r(t) is an irreducible polynomial of second degree over GF(2^s); i.e., r(t) = t^2 + αt + β, wherein α and β are elements of GF(2^s). The GF(2^s) is represented as an extension field of GF(2) consisting of the polynomials over GF(2) modulo q(t), wherein q(t) is an irreducible polynomial of degree s over GF(2). An element, z, in the GF((2^s)^2) representation may be defined by a 2s-digit binary number z = [z_{2s-1} ... z_1 z_0] representing a linear polynomial z<1> t + z<0>, wherein z<1> = [z_{2s-1} ... z_s] and z<0> = [z_{s-1} ... z_0] are elements of GF(2^s) represented by polynomials modulo q(t).

[0022] Reference is made to Fig. 1, which schematically illustrates a flow chart of a method of manipulating data, in accordance with embodiments of the invention.

[0023] As indicated at block 102, the method may include converting data in a GF(2^{2s}) representation into corresponding data in a GF((2^s)^2) representation, which corresponds to an extension of GF(2^s), by applying to the GF(2^{2s}) data a conversion operator, as described in detail below.

[0024] As indicated at block 104, the method may also include performing on the GF((2^s)^2) data at least one operation equivalent to at least one desired operation in the GF(2^{2s}) representation, to provide processed GF((2^s)^2) data, as described in detail below.

[0025] As indicated at block 106, the method may further include converting the processed GF((2^s)^2) data back into the GF(2^{2s}) representation, as described in detail below.

[0026] According to some embodiments of the invention, the GF(2^{2s}) data may include two or more data blocks. According to these embodiments, the method may be implemented to perform on the two or more data blocks at least one operation in the GF((2^s)^2) representation equivalent to at least one desired operation in the GF(2^{2s}) representation.

[0027] According to some exemplary embodiments, the method may be used as part of encrypting and/or decrypting input data, for example, by performing at least some AES S-box encryption/decryption operations, as described below.

[0028] Although the scope of the present invention is not limited in this respect, for clarity, as part of the description of some embodiments of the present invention, reference may be made to a device and/or a method of encrypting data. Further embodiments of the present invention may be described with reference to a device and/or a method of decrypting data. However, it would be obvious to those with ordinary skill in the art how to modify the methods and/or devices described below for both encryption and decryption or a combination thereof, unless specifically stated otherwise.

[0029] In some exemplary embodiments of the invention, s equals four. These embodiments are useful for converting data in a GF(2^8) representation into corresponding data in a GF((2^4)^2) representation.

[0030] Although the scope of the present invention is not limited in this respect, for clarity, the description of some exemplary embodiments of the present invention relates to methods and/or devices wherein s equals four, i.e., for converting data in a GF(2^8) representation into a GF((2^4)^2) representation. However, it would be obvious to those with ordinary skill in the art how to modify the methods and/or devices described below accordingly for any other suitable value of s. According to some embodiments of the invention, for some values of s the conversion from the GF(2^{2s}) representation into the GF((2^s)^2) representation may be performed in stages or recursively, e.g., by applying one or more intermediate conversion operators, as described below.

[0031] According to some exemplary embodiments of the invention, the method may be used for performing at least some AES S-box encryption operations wherein s equals four. In these embodiments, the input data to be encrypted may be converted from an extended GF representation, e.g., GF(2^8), into a new representation, e.g., GF((2^4)^2), corresponding to an extension of GF(2^4), as described below. According to these exemplary embodiments, GF((2^4)^2) operations, which may be effectively equivalent to corresponding AES operations in GF(2^8), may be performed on the GF((2^4)^2) data, significantly reducing the complexity of the calculations. The processed data may then be converted back into the AES GF(2^8) representation, as described below.

[0032] Although some discussions of some embodiments of the present invention may be directed towards the implementation of conversion operators for converting input data, x, from the GF(2^8) representation into the GF((2^4)^2) representation, e.g., using specific electrical circuits, it should be understood that the present invention is not limited in this respect. Rather, as part of some embodiments of the present invention, the conversion operator and other operations and processes described below may also be embodied in various other implementations, including implementations known in the present or yet to be devised in the future, for example, any suitable hardware and/or software implementations.

[0033] As part of some embodiments of the present invention, the method may be implemented in a variety of combinations and adaptations. According to an exemplary embodiment of the present invention, an encryption block to perform encryption, and/or a decryption block to perform decryption, may be implemented in embedded electrical circuitry, e.g., of the type that may be used in a smartcard. The conversion operator that may be used for converting the data between the AES GF(2^8) representation and the GF((2^4)^2) representation may be pre-programmed, e.g., into a smart card. Other configurations may be used additionally or alternatively.

[0034] According to some exemplary embodiments of the invention, the conversion operator may be related to a representation-transformation from the GF(2^8) representation into the GF((2^4)^2) representation. The conversion operator may be related to a representation-transformation matrix corresponding to the representation-transformation. The representation-transformation matrix may be selected from a set of possible representation-transformation matrices according to desired criteria, e.g., minimum area for circuit implementation, as described below. Each matrix of the set may be defined by a root of the irreducible polynomial over GF(2) defining the GF(2^{2s}) representation, e.g., GF(2^8), and by a generator of the field extension of the GF((2^s)^2), e.g., GF((2^4)^2), representation, as described below.

[0035] Polynomial representations of GF(2^4) over GF(2) may be defined by each of the three irreducible polynomials of degree four over GF(2), namely 1 + t + t^4, 1 + t^3 + t^4 and 1 + t + t^2 + t^3 + t^4, used as reduction polynomials.

[0036] According to embodiments of the invention, field extensions of one or more of the polynomial representations of GF(2^4) to GF(2^8) may be computed using irreducible extension polynomials, e.g., polynomials of the form t^2 + αt + β, wherein α and β may be elements of GF(2^4), such that t^2 + αt + β is irreducible over GF(2^4), as described below.

[0037] According to exemplary embodiments of the invention, there may be fifteen different β values and, for each of them, eight different α values, providing 120 possible irreducible extension polynomials of the form t^2 + αt + β. The three different reduction polynomials and the 120 irreducible extension polynomials result in 360 different GF((2^4)^2) representations of GF(2^8) as an extension of GF(2^4).
[0038] According to some exemplary embodiments of the invention, the number of irreducible extension polynomials of the form t^2 + αt + β may be reduced. This reduction may be accomplished, for example, by using only irreducible extension polynomials of the form t^2 + αt + β for which α = 1, as described below. Thus, the total number of relevant GF((2^4)^2) representations may be reduced from 360 to 24. However, it should be noted that the present invention is not limited in this respect. Moreover, although the description of some embodiments of the present invention may be restricted to the context of using irreducible extension polynomials of the form t^2 + αt + β wherein α = 1, it would be apparent to those of ordinary skill in the art how to adapt these methods using any extension polynomials of the form t^2 + αt + β.

[0039] Thus, as part of some exemplary embodiments of the present invention, a total of twenty-four GF((2^4)^2) representations may be computed for converting the data from the standard AES representation into the GF((2^4)^2) representation. Each of the twenty-four GF((2^4)^2) representations may be defined by one of the reduction polynomials defining GF(2^4) and one of the extension polynomials, e.g., of the form t^2 + αt + β, wherein α = 1.

[0040] Since, as is known in the art, any two finite fields of the same size are isomorphic, an isomorphism exists between any two representations of GF(2^n), denoted Rep1 and Rep2 respectively, wherein n = 2s. Each of the two representations is a linear space of dimension n over GF(2), and each isomorphism is a linear transformation between the representations. Thus, as part of some embodiments of the present invention, an n×n binary representation-transformation matrix, M, may be computed for transforming, e.g., by matrix multiplication, elements in Rep1 into corresponding elements in Rep2. Since the transformation between the two field representations is invertible, an inverse representation-transformation matrix, M^-1, exists for each representation-transformation. An irreducible polynomial, p0, having n roots may represent Rep1. Each root of p0 is a generator of the field GF(2^n), and the set of roots of p0 is invariant under field isomorphism. Thus, there are n corresponding representation-transformation matrices for each field extension. A pair of corresponding generators of representations Rep1 and Rep2 uniquely determines an isomorphism between Rep1 and Rep2, since every element of GF(2^n) is a polynomial in the generator. Thus, for a generator, r1, of Rep1 and a generator, r2, of Rep2, the corresponding representation-transformation matrix M must satisfy M r1 = r2. Since the two field representations are isomorphic, and since r1 and r2 are generators of GF(2^n), the following equation system must be satisfied by M for every k (k = 1 ... 2^n):

M (r1)^k = (r2)^k    (1)

wherein (r1)^k denotes field generator r1 raised to the k-th power in representation Rep1, producing an element (r1)^k in representation Rep1, and wherein field element (r1)^k in representation Rep1 may be treated as a vector in a linear space of dimension n over GF(2), and may be multiplied by representation-transformation matrix M to provide (r2)^k.

[0041] Equation system 1 includes 2^n linear equations, which may be solved to determine the representation-transformation matrix, M, corresponding to the pair of generators r1 and r2. Equation system 1 may include redundant equations, which may be ignored in order to reduce the number of computations. For example, only the first n equations may be used to provide one representation-transformation matrix. Another representation-transformation matrix may be provided by a solution of Equation set 1 using a different pair of generators r1 and r2. Thus, there may be n different equation systems corresponding to the n different generators in Rep2 which are images of r1, providing n different representation-transformation matrices from Rep1 to Rep2.

[0042] In exemplary embodiments of the invention, each root of the irreducible polynomial over GF(2) defining the AES representation of GF(2^8), e.g., p(t) = t^8 + t^4 + t^3 + t + 1, may be a generator of the GF(2^8) field. Thus, eight possible representation-transformation matrices, corresponding to the eight roots of the irreducible polynomial, respectively, may be computed for each field extension of GF(2^4). Therefore, according to these exemplary embodiments, there may be a set of 192 possible representation-transformation matrices, corresponding to the 24 field extensions wherein α = 1. According to some embodiments of the present invention, each of the possible representation-transformation matrices may enable transformation from the standard AES representation into one of the GF((2^4)^2) representations of GF(2^8), each corresponding to an extension of GF(2^4).
[0043] According to these exemplary embodiments, the input data, x, in the AES representation may be converted into the GF((2^4)^2) representation by applying the representation-transformation, e.g., the representation-transformation matrix M. The operation x → x^-1, denoted T(x), in the GF((2^4)^2) representation may be performed on the converted data, e.g., on M x. The conversion back to GF(2^8) may be provided by applying an inverse of the representation-transformation, e.g., M^-1. Thus, according to exemplary embodiments of the invention, the inverse F(x) = x^-1 in the AES representation and T(M x) are related by the following nonlinear equation:

F(x) = M^-1 T(M x)    (2)

[0044] Equation 2 may be rewritten as follows:

M F(x) = T(M x)    (3)

[0045] According to these embodiments, Equation 3 may have eight solutions, representing the eight possible isomorphisms between the two representations, e.g., between the AES GF(2^8) representation and a corresponding GF((2^4)^2) representation. An isomorphism between the two representations may be determined by choosing a generator in one representation to be mapped to a specific generator in the other representation, as described above.

[0046] The following is an exemplary list of matrix strings corresponding to the 192 (24 times 8) possible representation-transformation matrices in hexadecimal form, which may be computed as described above:

Reduction polynomial: t^4 + t + 1

(a) Extension Polynomial: t^2 + t + 8

01 e1 5c 0c af 1b e3 85, 01 e1 5c 0c ae fa bf 89, 01 5c e0 50 a2 02 b8 db, 01 5c e0 50 a3 5e 58 8b,
01 e0 5d b0 f2 04 ad 6f, 01 e0 5d b0 f3 e4 f0 df, 01 5d e1 ed 42 10 a7 92, 01 5d e1 ed 43 4d 46 7f.

(b) Extension Polynomial: t^2 + t + 9

01 e1 5c 0c 12 4b 0f d8, 01 e1 5c 0c 13 aa 53 d4, 01 5c e0 50 1e b2 b5 3a, 01 5c e0 50 1f ee 55 6a,
01 e0 5d b0 4e 09 a1 83, 01 e0 5d b0 4f e9 fc 33, 01 5d e1 ed fe 1c 16 72, 01 5d e1 ed ff 41 f7 9f.

(c) Extension Polynomial: t^2 + t + 10

01 e1 5c 0c 43 46 0e 39, 01 e1 5c 0c 42 a7 52 35, 01 5c e0 50 ae bf 54 36, 01 5c e0 50 af e3 b4 66,
01 e0 5d b0 a3 58 fd d3, 01 e0 5d b0 a2 b8 a0 63, 01 5d e1 ed f2 ad f6 c2, 01 5d e1 ed f3 4c ab 2f.

(d) Extension Polynomial: t^2 + t + 11

01 e1 5c 0c fe 16 e2 64, 01 e1 5c 0c ff f7 be 68, 01 5c e0 50 12 0f 59 d7, 01 5c e0 50 13 53 b9 87,
01 e0 5d b0 1f 55 f1 3f, 01 e0 5d b0 1e b5 ac 8f, 01 5d e1 ed 4e a1 47 22, 01 5d e1 ed 4f fc a6 cf.

(e) Extension Polynomial: t^2 + t + 12

01 e1 5c 0c a2 1a 02 d9, 01 e1 5c 0c a3 fb 5e d5, 01 5c e0 50 f3 03 e4 3b, 01 5c e0 50 f2 5f 04 6b,
01 e0 5d b0 43 05 4d 32, 01 e0 5d b0 42 e5 10 82, 01 5d e1 ed ae 11 fa 73, 01 5d e1 ed af 4c 1b 9e.

(f) Extension Polynomial: t^2 + t + 13

01 e1 5c 0c 1f 4a ee 84, 01 e1 5c 0c 1e ab b2 88, 01 5c e0 50 4f b3 e9 da, 01 5c e0 50 4e ef 09 8a,
01 e0 5d b0 ff 08 41 de, 01 e0 5d b0 fe e8 1c 6e, 01 5d e1 ed 12 1d 4b 93, 01 5d e1 ed 13 40 aa 7e.

(g) Extension Polynomial: t^2 + t + 14

01 e1 5c 0c 4e 47 ef 65, 01 e1 5c 0c 4f a6 b3 69, 01 5c e0 50 ff be 08 d6, 01 5c e0 50 fe e2 e8 86,
01 e0 5d b0 12 59 1d 8e, 01 e0 5d b0 13 b9 40 3e, 01 5d e1 ed 1e ac ab 23, 01 5d e1 ed 1f f1 4a ce.

(h) Extension Polynomial: t^2 + t + 15

01 e1 5c 0c f3 17 03 38, 01 e1 5c 0c f2 f6 5f 34, 01 5c e0 50 43 0e 05 37, 01 5c e0 50 42 52 e5 67,
01 e0 5d b0 ae 54 11 62, 01 e0 5d b0 af b4 4c d2, 01 5d e1 ed a2 a0 1a c3, 01 5d e1 ed a3 fd fb 2e.

Reduction polynomial: t^4 + t^3 + 1

(a) Extension Polynomial: t^2 + t + 2

01 b1 ec 0c 4f 7c 80 69, 01 b1 ec 0c 4e cd 6c 65, 01 ec 0d 50 ff 60 97 d6, 01 ec 0d 50 fe 8c 9a 86,
01 0d 51 b0 13 c7 94 3e, 01 0d 51 b0 12 ca c5 8e, 01 51 b1 ed 1e 24 91 23, 01 51 b1 ed 1f 75 20 ce.

(b) Extension Polynomial: t^2 + t + 3

01 b1 ec 0c f3 2c dc 38, 01 b1 ec 0c f2 9d 30 34, 01 ec 0d 50 43 3c 7a 37, 01 ec 0d 50 42 d0 77 67,
01 0d 51 b0 ae 27 98 62, 01 0d 51 b0 af 2a c9 d2, 01 51 b1 ed a3 28 70 2e, 01 51 b1 ed a2 79 c1 c3.

(c) Extension Polynomial: t^2 + t + 4

01 b1 ec 0c ff 21 60 68, 01 b1 ec 0c fe 90 8c 64, 01 ec 0d 50 13 6d c7 87, 01 ec 0d 50 12 81 ca d7,
01 0d 51 b0 1e 96 24 8f, 01 0d 51 b0 1f 9b 75 3f, 01 51 b1 ed 4f 95 7c cf, 01 51 b1 ed 4e c4 cd 22.

(d) Extension Polynomial: t^2 + t + 5

01 b1 ec 0c 43 71 3c 39, 01 b1 ec 0c 42 c0 d0 35, 01 ec 0d 50 af 31 2a 66, 01 ec 0d 50 ae dd 27 36,
01 0d 51 b0 a3 76 28 d3, 01 0d 51 b0 a2 7b 79 63, 01 51 b1 ed f2 99 9d c2, 01 51 b1 ed f3 c8 2c 2f.

(e) Extension Polynomial: t^2 + t + 8

01 b1 ec 0c af 7d 31 85, 01 b1 ec 0c ae cc dd 89, 01 ec 0d 50 a2 61 7b db, 01 ec 0d 50 a3 8d 76 8b,
01 0d 51 b0 f2 c6 99 6f, 01 0d 51 b0 f3 cb c8 df, 01 51 b1 ed 42 25 c0 92, 01 51 b1 ed 43 74 71 7f.

(f) Extension Polynomial: t^2 + t + 9

01 b1 ec 0c 13 2d 6d d4, 01 b1 ec 0c 12 9c 81 d8, 01 ec 0d 50 1e 3d 96 3a, 01 ec 0d 50 1f d1 9b 6a,
01 0d 51 b0 4f 26 95 33, 01 0d 51 b0 4e 2b c4 83, 01 51 b1 ed ff 29 21 9f, 01 51 b1 ed fe 78 90 72.

(g) Extension Polynomial: t^2 + t + 14

01 b1 ec 0c 1f 20 d1 84, 01 b1 ec 0c 1e 91 3d 88, 01 ec 0d 50 4e 6c 2b 8a, 01 ec 0d 50 4f 80 26 da,
01 0d 51 b0 ff 97 29 de, 01 0d 51 b0 fe 9a 78 6e, 01 51 b1 ed 13 94 2d 7e, 01 51 b1 ed 12 c5 9c 93.

(h) Extension Polynomial: t^2 + t + 15

01 b1 ec 0c a3 70 8d d5, 01 b1 ec 0c a2 c1 61 d9, 01 ec 0d 50 f2 30 c6 6b, 01 ec 0d 50 f3 dc cb 3b,
01 0d 51 b0 42 77 25 82, 01 0d 51 b0 43 7a 74 32, 01 51 b1 ed ae 98 cc 73, 01 51 b1 ed af c9 7d 9e.

Reduction polynomial: t^4 + t^3 + t^2 + t + 1

(a) Extension Polynomial: t^2 + t + 2

01 50 b0 0c a3 8b d3 d5, 01 50 b0 0c a2 db 63 d9, 01 b0 ed 50 f2 6f c2 6b, 01 b0 ed 50 f3 df 2f 3b,
01 ed 0c b0 43 7f 39 32, 01 ed 0c b0 42 92 35 82, 01 0c 50 ed af 85 66 9e, 01 0c 50 ed ae 89 36 73.

(b) Extension Polynomial: t^2 + t + 3

01 50 b0 0c 1e 3a 8f 88, 01 50 b0 0c 1f 6a 3f 84, 01 b0 ed 50 4f 33 cf da, 01 b0 ed 50 4e 83 22 8a,
01 ed 0c b0 fe 72 64 6e, 01 ed 0c b0 ff 9f 68 de, 01 0c 50 ed 13 d4 87 7e, 01 0c 50 ed 12 d8 d7 93.

(c) Extension Polynomial: t^2 + t + 4

01 50 b0 0c f3 3b df 38, 01 50 b0 0c f2 6b 6f 34, 01 b0 ed 50 43 32 7f 37, 01 b0 ed 50 42 82 92 67,
01 ed 0c b0 ae 73 89 62, 01 ed 0c b0 af 9e 85 d2, 01 0c 50 ed a3 d5 8b 2e, 01 0c 50 ed a2 d9 db c3.

(d) Extension Polynomial: t^2 + t + 5

01 50 b0 0c 4e 8a 83 65, 01 50 b0 0c 4f da 33 69, 01 b0 ed 50 fe 6e 72 86, 01 b0 ed 50 ff de 9f d6,
01 ed 0c b0 13 7e d4 3e, 01 ed 0c b0 12 93 d8 8e, 01 0c 50 ed 1f 84 6a ce, 01 0c 50 ed 1e 88 3a 23.

(e) Extension Polynomial: t^2 + t + 8

01 50 b0 0c ae 36 62 89, 01 50 b0 0c af 66 d2 85, 01 b0 ed 50 a2 63 c3 db, 01 b0 ed 50 a3 d3 2e 8b,
01 ed 0c b0 f3 2f 38 df, 01 ed 0c b0 f2 c2 34 6f, 01 0c 50 ed 42 35 67 92, 01 0c 50 ed 43 39 37 7f.

(f) Extension Polynomial: t^2 + t + 9

01 50 b0 0c 13 87 3e d4, 01 50 b0 0c 12 d7 8e d8, 01 b0 ed 50 1f 3f ce 6a, 01 b0 ed 50 1e 8f 23 3a,
01 ed 0c b0 4e 22 65 83, 01 ed 0c b0 4f cf 69 33, 01 0c 50 ed fe 64 86 72, 01 0c 50 ed ff 68 d6 9f.

(g) Extension Polynomial: t^2 + t + 14

01 50 b0 0c fe 86 6e 64, 01 50 b0 0c ff d6 de 68, 01 b0 ed 50 13 3e 7e 87, 01 b0 ed 50 12 8e 93 d7,
01 ed 0c b0 1e 23 88 8f, 01 ed 0c b0 1f ce 84 3f, 01 0c 50 ed 4e 65 8a 22, 01 0c 50 ed 4f 69 da cf.

(h) Extension Polynomial: t^2 + t + 15

01 50 b0 0c 43 37 32 39, 01 50 b0 0c 42 67 82 35, 01 b0 ed 50 ae 62 73 36, 01 b0 ed 50 af d2 9e 66,
01 ed 0c b0 a3 2e d5 d3, 01 ed 0c b0 a2 c3 d9 63, 01 0c 50 ed f2 34 6b c2, 01 0c 50 ed f3 38 3b 2f.

[0047] The above list is organized such that each group of 8 matrix string values
is associated with one of the 8 extension polynomials of the type t^2 + αt + β and one of
the three irreducible reduction polynomials over GF(2^4), as described above. The
matrix string values are listed in the form of 8 pairs of values in hexadecimal form,
representing an 8 x 8 binary matrix. In order to locate the values corresponding to the
i-th representation-transformation matrix in the list, wherein 1 ≤ i ≤ 192, the following
set of equations may be solved:

i - 1 = Q1 x 64 + R1 (4)
R1 = Q2 x 8 + R2

wherein:

0 ≤ R1 < 64 (5)
0 ≤ R2 < 8

[0048] Equation set 4 with the boundary conditions of Equation set 5 may yield a
set of the values Q1, Q2, R1, R2 corresponding to a desired i-th
representation-transformation matrix. The location of a desired
representation-transformation matrix, e.g., the i-th matrix in the above list, may be
defined by the Q1+1 reduction polynomial, the Q2+1 extension polynomial, and the
R2+1 matrix string. The matrix string values may be converted into the transformation
matrix representation by separating the matrix string into pairs of numbers in
hexadecimal form. Each column of the transformation matrix may then be represented
using the binary representation of a corresponding hexadecimal pair, e.g., using eight
binary digits.

[0049] Some embodiments of the present invention include an AES compatible
S-box. The AES compatible S-box may be configured to perform AES S-box equivalent
operations, e.g., encryption and/or decryption operations, over the GF((2^4)^2)
representation. The AES compatible S-box may include, for example, conversion
circuitry enabling the conversion of data from the standard AES S-box based
representation into the GF((2^4)^2) representation, as described above. The AES
compatible S-box may also include an operations module, which may include operation
circuitry and/or software to process the converted data, e.g., to perform AES equivalent
operations on the converted data. The AES compatible S-box may also include
de-conversion circuitry to convert the processed data back into the AES representation.

[0050] A conventional AES S-box may perform affine transformations according
to the following equations:

sbox[x] = A x F[x] ⊕ b (6)

sbox^-1[x] = F[A^-1 x (x ⊕ b)] (7)

wherein A and b are AES S-box parameter matrices, as is known in the art.

[0051] Thus, according to embodiments of the invention, substituting Equation 3
in Equations 6 and 7, respectively, may yield the following equations to convert x into
the GF((2^4)^2) representation, perform operations in the GF((2^4)^2) representation, and
convert the resulting data back into corresponding data in the AES representation:

sbox[x] = AM x T[M^-1 x x] ⊕ b (8)

sbox^-1[x] = M x T[(AM)^-1 x (x ⊕ b)] (9)

[0052] In accordance with some embodiments of the present invention, the
conversion circuitry or software may include circuitry implementing the
representation-transformation matrix M. According to some of these embodiments, the
circuitry or software implementing the representation-transformation matrix M may be
combined with the circuitry or software implementing a linear transformation, for
example, AES S-box parameters, e.g., A. According to further embodiments of the
invention, the conversion circuitry or software may include four multiplication modules,
e.g., as described below, for multiplication by AM, M^-1, M and (AM)^-1, respectively.
Thus, the conversion circuitry may consist of a combination of applying a linear
transformation and the predetermined representation-transformation. For example, the
conversion circuitry may implement the addition of AES S-box parameter b, e.g., by a
XOR circuit, to provide the sum x+b, which may further be multiplied by an inverse of
AM. The conversion circuitry may implement other combinations of a linear
transformation and the representation-transformation matrix, e.g., the specific
implementations described herein. The use of such operation modules may enhance the
efficiency of the conversion circuitry.

[0053] A hardware implementation of matrix multiplication may include any
hardware implementation of matrix multiplication, as is known in the art. For example,
values y_i of a block y defined by y = Dx, wherein i = 1...8 and wherein D is a fixed 8x8
binary matrix, may be computed using the following equation:

y_i = \sum_{j=1}^{8} D_{ij} x_j (10)

[0054] Thus, values of y may be computed using Equation 10. This may be
achieved by determining which of the elements of row D_ij are nonzero and performing a
XOR operation of the corresponding values of x_j.
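The following is an added example, not code from the patent, that models paragraphs [0047]-[0048] and [0053]-[0054] together: it locates a matrix by its index through Equations 4 and 5, turns a matrix string into the 8 x 8 binary matrix (one hexadecimal pair per column, bit i of column j being D_ij), applies the matrix by XORing selected inputs as in Equation 10, and inverts it over GF(2) so that the same data can be used for the M and M^-1 multipliers. The function names are mine; the matrix values are the 129th matrix from the list above.

```python
# Added example (not from the patent): locating a matrix string by index
# (Equations 4 and 5), turning it into an 8x8 GF(2) matrix, and applying
# it as in Equation 10. The matrix values are the patent's 129th matrix.

def locate(i):
    """Equations 4 and 5: index i (1 <= i <= 192) -> (Q1, Q2, R2).
    The matrix is the (R2+1)-th string of the (Q2+1)-th extension
    polynomial under the (Q1+1)-th reduction polynomial."""
    if not 1 <= i <= 192:
        raise ValueError("i must satisfy 1 <= i <= 192")
    q1, r1 = divmod(i - 1, 64)   # 0 <= R1 < 64
    q2, r2 = divmod(r1, 8)       # 0 <= R2 < 8
    return q1, q2, r2

def parse_matrix_string(s):
    """'01 50 b0 0c ...' -> list of 8 column bytes; column j is the image
    of basis vector e_j, and bit i of a column is matrix element D_ij."""
    cols = [int(h, 16) for h in s.split()]
    if len(cols) != 8:
        raise ValueError("a matrix string has exactly 8 hexadecimal pairs")
    return cols

def transpose(m):
    """Transpose an 8x8 bit matrix held as 8 ints (works columns<->rows)."""
    return [sum(((m[j] >> i) & 1) << j for j in range(8)) for i in range(8)]

def matvec_columns(cols, x):
    """y = Dx: XOR of the columns selected by the set bits of x."""
    y = 0
    for j, c in enumerate(cols):
        if (x >> j) & 1:
            y ^= c
    return y

def matvec_rows(rows, x):
    """Equation 10 as hardware does it: y_i is the XOR of the x_j for
    which D_ij is nonzero (rows[i] holds D_i0..D_i7 as bits 0..7)."""
    y = 0
    for i, row in enumerate(rows):
        y |= (bin(row & x).count("1") & 1) << i
    return y

def gf2_inverse(cols):
    """Inverse of an 8x8 matrix over GF(2) by Gauss-Jordan elimination on
    the rows augmented with the identity (bits 8..15)."""
    aug = [r | (1 << (8 + i)) for i, r in enumerate(transpose(cols))]
    for c in range(8):
        p = next((r for r in range(c, 8) if (aug[r] >> c) & 1), None)
        if p is None:
            raise ValueError("matrix is singular over GF(2)")
        aug[c], aug[p] = aug[p], aug[c]
        for r in range(8):
            if r != c and (aug[r] >> c) & 1:
                aug[r] ^= aug[c]
    return transpose([a >> 8 for a in aug])  # rows of D^-1 -> columns

# The 129th matrix from the list above (page values), selected in [0071].
M_129 = parse_matrix_string("01 50 b0 0c a3 8b d3 d5")

if __name__ == "__main__":
    print(locate(129))                          # (2, 0, 0)
    print(hex(matvec_columns(M_129, 0x2e)))     # 0x67, as in [0085]
    m_inv = gf2_inverse(M_129)
    print(hex(matvec_columns(m_inv, 0x67)))     # 0x2e, as in [0084]
```

With the column-per-hexadecimal-pair convention, the product M x 2e for the 129th matrix is 67, matching the de-conversion step of the decryption example in [0085]; the inverse computed here reproduces the M^-1 x 67 = 2e step of [0084].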

[0055] According to exemplary embodiments of the invention, operations, e.g.,
inverse, adding, and/or multiplication operations, equivalent to AES operations may be
defined in the new representation, as described below.

[0056] An element x of a GF(2^8) may be defined by an eight-digit binary number
x = [x7 x6 x5 x4 x3 x2 x1 x0], and an element z of a GF(2^4) may be defined by a four-digit binary

[0057] As is known in the art, GF(2^4) may have a polynomial representation
defined by a reduction polynomial over GF(2), e.g., z = [z3 z2 z1 z0] may be represented by
the polynomial z3 t^3 + z2 t^2 + z1 t + z0. Multiplication of elements in the GF may be defined by
multiplying the polynomials representing the elements and reducing the result modulo
the reduction polynomial. In the following description, an inverse operation x^-1 of x in
the AES GF(2^8) may be denoted F = F(x), and an inverse operation of z in the new
representation may be denoted T = T(z).

[0058] According to embodiments of the invention, a bit octet,
z = [z7 z6 z5 z4 z3 z2 z1 z0], of GF(2^8) may be analogous to a linear polynomial z<m> t + z<l>,
wherein z<m> = [z7 z6 z5 z4] and z<l> = [z3 z2 z1 z0] are elements of GF(2^4). Thus, the new
representation may include elements z<m> and z<l> of GF(2^4).

[0059] As part of some embodiments of the present invention, multiplication and
addition operations in the new representation may be defined in terms of operations on
GF(2^4). Provided below is one possible definition of multiplication and addition in the
new representation in terms of operations over GF(2^4). It will be appreciated that other
definitions may also be used as part of some embodiments of the present invention.

[0060] Addition and subtraction of two elements, e.g., a, d ∈ GF(2^8), in the new
representation may be defined as a bitwise XOR of the two elements, as is known in the
art. The product of the two elements, a and d, may be defined as a polynomial product
(a<m> t + a<l>) x (d<m> t + d<l>) mod (t^2 + αt + β), wherein multiplication and addition of the
polynomial coefficients may be defined by operations over GF(2^4) using a given
representation. Thus, the product of elements a and d may be calculated using the
following equation:

wherein:

(a<m> d<l> + a<l> d<m> + a<m> d<m> α) ≡ [r7 r6 r5 r4] (11)

[0061] Thus, the product of elements a and d in the AES GF(2^8) may be
defined as r = [r7 r6 r5 r4 r3 r2 r1 r0].

[0062] Determining an inverse x^-1 = (c<m> t + c<l>) of data element x = (a<m> t + a<l>)
may require solving the following set of equations:

0t + 1 = (c<m> t + c<l>) x (a<m> t + a<l>) mod (t^2 + αt + β) (13)

[0063] Equation set 13 may be translated into the following system of linear
equations over GF(2):

[0064] Thus, in order to calculate an inverse x^-1 of data element x, the values of
c<m> and c<l> may be calculated, as described above.

[0065] According to embodiments of the invention, a direct computation of
Equation system 14 may require two square computations, e.g., a<m>^2 and a<l>^2, five
multiplication computations, one inversion and three additions, all taken over GF(2^4).
However, as part of some embodiments of the present invention, the number of these
computations may be reduced, as explained below.

[0066] According to embodiments of the invention, additions over GF(2^4) may
be implemented as XOR circuits, as is known in the art. According to other
embodiments of the invention, the multiplication over GF(2^4) may be performed more
efficiently by defining GF(2^4) multipliers and selecting the appropriate multiplier in
each case, as explained below.

[0067] According to these exemplary embodiments, a multiplication a x d = [a3,
a2, a1, a0] x [d3, d2, d1, d0] over GF(2^4), of two elements, e.g., a = [a3, a2, a1, a0] and d
= [d3, d2, d1, d0], of GF(2^4), may be defined as a sequence of bitwise operations, e.g.,
additions (XOR) and multiplications (AND), for a given reduction polynomial, e.g., as
described above. Thus, the solutions of the multiplication of two elements may be as
follows:

Reduction polynomial: t^4 + t + 1

[a3,a2,a1,a0] * [d3,d2,d1,d0] =
[a0d3+a1d2+a2d1+a3d0+a3d3, a0d2+a1d1+a2d0+a2d3+a3d2+a3d3,
a0d1+a1d0+a1d3+a2d2+a3d1+a2d3+a3d2, a0d0+a1d3+a2d2+a3d1]

Reduction polynomial: t^4 + t^3 + 1

[a3,a2,a1,a0] * [d3,d2,d1,d0] =
[a0d3+a1d2+a2d1+a3d0+a1d3+a2d2+a3d1+a2d3+a3d2+a3d3, a0d2+a1d1+a2d0+a3d3,
a0d1+a1d0+a2d3+a3d2+a3d3, a0d0+a1d3+a2d2+a3d1+a2d3+a3d2+a3d3]

Reduction polynomial: t^4 + t^3 + t^2 + t + 1

[a3,a2,a1,a0] * [d3,d2,d1,d0] =
[a0d3+a1d2+a2d1+a3d0+a1d3+a2d2+a3d1, a0d2+a1d1+a2d0+a1d3+a2d2+a3d1,
a0d1+a1d0+a1d3+a2d2+a3d1+a3d3, a0d0+a1d3+a2d2+a3d1+a2d3+a3d2]

[0068] It may be noted that some of the multiplications of elements in each of
the solutions are similar for two or more output bits. For example, the expression
a1d3+a2d2+a3d1, appearing twice in the solutions listed above, may be computed only
once in order to minimize hardware requirements, e.g., using XOR and AND gates. It
will be appreciated by those skilled in the art, that the solutions for multiplication of two
elements in GF(2^4) using each of the three quadratic reduction polynomials discussed
above may be used to construct a GF(2^4) multiplier for each of the quadratic reduction
polynomials. Such multiplier may be implemented in hardware and/or software as is
known in the art. An appropriate GF(2^4) multiplier may be constructed for a given
representation-transformation matrix. Since each representation-transformation matrix
may be defined by one of the three irreducible reduction polynomials over GF(2^4) in
combination with an extension polynomial, as described above, the GF(2^4) multipliers
may be predetermined. It may be appreciated by a person skilled in the art that other
suitable implementations of GF(2^4) multipliers may be used additionally or
alternatively in accordance with exemplary embodiments of the invention.

[0069] Inversion, denoted INV, and squaring, denoted SQR, in GF(2^4) may be
implemented by two respective, relatively small, Look-Up-Tables (LUTs) having a size
of 8 bytes each, e.g., 16 nibbles. According to some embodiments of the present
invention, coefficient β may be predetermined. Thus, the value βg^2 for an
element g ∈ GF(2^4) may also be stored in an 8-byte LUT, which may be denoted βSQR,
thereby eliminating one multiplication from the set of computations required for
computing Equation System 14. According to alternative embodiments, SQR, INV
and/or βSQR in GF(2^4) may be implemented by any suitable circuit, as is known in the
art. For example, an SQR circuit may be implemented by substituting a=d in the
solutions for multiplication of two elements, as described above. Thus, the SQR circuits
may implement the following solutions:

Reduction polynomial: t^4 + t + 1

[a3,a2,a1,a0]^2 = [a3, a1+a3, a2, a0+a2]
Reduction polynomial: t^4 + t^3 + 1
[a3,a2,a1,a0]^2 = [a2+a3, a1+a3, a3, a0+a2+a3]
Reduction polynomial: t^4 + t^3 + t^2 + t + 1
[a3,a2,a1,a0]^2 = [a2, a1+a2, a2+a3, a0+a2]

[0070] It may be noted that the circuitry implementation of embodiments of the
invention may be more compact than the corresponding LUT implementation.
However, in some S-box implementations, a LUT may provide more efficient
processing of the data.

[0071] According to exemplary embodiments of the invention, the 129th
representation-transformation matrix, i.e., the matrix having the hexadecimal notation
M = 01, 50, b0, 0c, a3, 8b, d3, d5, may be selected from the 192 representation-transformation
matrices listed above. Thus, the corresponding reduction and extension polynomials are p(t)
= t^4 + t^3 + t^2 + t + 1 and r(t) = t^2 + t + 2, i.e., α = 1, β = 2. According to this exemplary
embodiment, the multiplication circuit is the circuit given above for the reduction polynomial
t^4 + t^3 + t^2 + t + 1, i.e.,

[a3,a2,a1,a0] * [d3,d2,d1,d0] =
[a0d3+a1d2+a2d1+a3d0+a1d3+a2d2+a3d1, a0d2+a1d1+a2d0+a1d3+a2d2+a3d1,
a0d1+a1d0+a1d3+a2d2+a3d1+a3d3, a0d0+a1d3+a2d2+a3d1+a2d3+a3d2]

[0072] According to this exemplary embodiment of the invention, the following
LUTs, listed in hexadecimal notation, may be used to calculate respective values of
SQR, βSQR and/or INV corresponding to an input number, i, between 0 and 15:

SQR = 0,1,4,5,f,e,b,a,2,3,6,7,d,c,9,8 (15)
βSQR = 0,2,8,a,1,3,9,b,4,6,c,e,5,7,d,f
INV = 0,1,f,a,8,6,5,9,4,7,3,e,d,c,b,2

wherein the output of each table may be the i-th entry of the table. Alternatively, SQR,
βSQR and/or INV may be calculated using the circuit implementation, as described
above, e.g., the SQR circuit is provided by [a3,a2,a1,a0]^2 = [a2, a1+a2, a2+a3, a0+a2].
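The following added example (mine, not the patent's own code) carries the arithmetic of paragraphs [0057]-[0072] through in software: GF(2^4) multiplication by polynomial reduction for each of the three reduction polynomials, a check that the three squaring solutions above agree with that multiplication, generation of the SQR, βSQR and INV tables of Equation 15 for the 129th matrix (t^4 + t^3 + t^2 + t + 1, α = 1, β = 2), and the composite-field product and inverse of [0060]-[0065]. The inverse uses the closed form c<m> = a<m>/Δ, c<l> = (a<l> + αa<m>)/Δ with Δ = a<l>^2 + αa<m>a<l> + βa<m>^2, which is what solving Equation 13 for c<m> and c<l> gives; the function and table names are assumptions of this example.

```python
# Added example (not the patent's own code): GF(2^4) arithmetic for the three
# reduction polynomials, the squaring solutions, the LUTs of Equation 15 for
# the 129th matrix (t^4+t^3+t^2+t+1, alpha=1, beta=2) and the composite-field
# product and inverse of [0060]-[0065]. Names and the table layout are mine.

REDUCTION = {           # reduction polynomials over GF(2), as bit masks
    "t^4+t+1":         0b10011,
    "t^4+t^3+1":       0b11001,
    "t^4+t^3+t^2+t+1": 0b11111,
}

def gf16_mul(a, d, red):
    """Polynomial product of two nibbles reduced modulo 'red' (degree 4)."""
    r = 0
    for i in range(4):
        if (d >> i) & 1:
            r ^= a << i
    for deg in range(6, 3, -1):           # fold t^6, t^5, t^4 back down
        if (r >> deg) & 1:
            r ^= red << (deg - 4)
    return r

def gf16_inv(a, red):
    """Multiplicative inverse; 0 maps to 0 as in the INV table."""
    if a == 0:
        return 0
    return next(c for c in range(1, 16) if gf16_mul(a, c, red) == 1)

def sqr_circuit(a, name):
    """The three squaring solutions listed above, as bit operations."""
    a3, a2, a1, a0 = (a >> 3) & 1, (a >> 2) & 1, (a >> 1) & 1, a & 1
    if name == "t^4+t+1":
        bits = (a3, a1 ^ a3, a2, a0 ^ a2)
    elif name == "t^4+t^3+1":
        bits = (a2 ^ a3, a1 ^ a3, a3, a0 ^ a2 ^ a3)
    else:                                  # t^4+t^3+t^2+t+1
        bits = (a2, a1 ^ a2, a2 ^ a3, a0 ^ a2)
    return bits[0] << 3 | bits[1] << 2 | bits[2] << 1 | bits[3]

def make_luts(red, beta):
    """SQR, betaSQR and INV tables (16 nibbles each) for one configuration."""
    sqr = [gf16_mul(i, i, red) for i in range(16)]
    bsqr = [gf16_mul(beta, s, red) for s in sqr]
    inv = [gf16_inv(i, red) for i in range(16)]
    return sqr, bsqr, inv

def composite_mul(a, d, red, alpha, beta):
    """(a_m t + a_l)(d_m t + d_l) mod (t^2 + alpha t + beta); nibbles in GF(2^4)."""
    am, al, dm, dl = a >> 4, a & 0xF, d >> 4, d & 0xF
    mul = lambda x, y: gf16_mul(x, y, red)
    r_m = mul(am, dl) ^ mul(al, dm) ^ mul(mul(am, dm), alpha)   # Equation 11
    r_l = mul(al, dl) ^ mul(mul(am, dm), beta)                   # constant term
    return r_m << 4 | r_l

def composite_inv(a, red, alpha, beta):
    """Solve Equation 13: c_m = a_m/D, c_l = (a_l + alpha a_m)/D with
    D = a_l^2 + alpha a_m a_l + beta a_m^2 (two squarings, one inversion)."""
    am, al = a >> 4, a & 0xF
    mul = lambda x, y: gf16_mul(x, y, red)
    alpha_am = mul(alpha, am)
    delta = mul(al, al) ^ mul(alpha_am, al) ^ mul(beta, mul(am, am))
    delta_inv = gf16_inv(delta, red)
    return mul(am, delta_inv) << 4 | mul(al ^ alpha_am, delta_inv)

if __name__ == "__main__":
    red = REDUCTION["t^4+t^3+t^2+t+1"]
    for name, table in zip(("SQR", "bSQR", "INV"), make_luts(red, 2)):
        print(name, ",".join(f"{v:x}" for v in table))
    print(hex(composite_inv(0x2E, red, 1, 2)))   # 0x16, as in [0084]
```

Running it prints the three tables of Equation 15 and 0x16 for the inverse of 2e, the value that the encryption example in [0084] obtains for T16; the βSQR table is just β multiplied into each SQR entry, which is why the text can drop one multiplier by storing it.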

[0073] Reference is made to FIG. 2, which illustrates a circuit implementation of
an AES compatible S-box 200 for encrypting/decrypting data, in accordance with some
exemplary embodiments of the present invention.

[0074] S-box 200 may be implemented to provide an output sbox[x] or sbox^-1[x]
corresponding to the block data x according to Equations 8 and 9, as described below.

[0075] S-box 200 may include an input conversion module 221 to receive the
input data, x, in AES representation, e.g., including 8-bit data, denoted
[x7 x6 x5 x4 x3 x2 x1 x0] (x ∈ GF(2^8)), and to apply a conversion operator to convert this
data into data in the GF((2^4)^2) representation, as described above. In the decrypt mode of
operation, conversion module 221 may also apply the decrypt affine transformation to x,
as described below. S-box 200 may also include an operation module 230 to process the
converted data, e.g., by performing GF(2^8) equivalent encryption/decryption operations,
and to provide processed GF((2^4)^2) data, as described below. S-box 200 may also
include an output de-conversion module 223, to convert the processed data back into the
AES representation, as described below. Module 223 may also apply the encrypt affine
transformation to the output of module 230, as described below.

[0076] According to these exemplary embodiments, module 221 may include a
first data input path 202 corresponding to an encryption mode of operation, i.e., to
perform the conversion sbox[x], as described above. Module 221 may also include a
second data input path 204 corresponding to a decryption mode of operation, i.e., to
perform the conversion sbox^-1[x].

[0077] According to exemplary embodiments of the invention, module 221 may
include encryption conversion circuitry 214, and decryption conversion circuitry 210.
Circuitry 214 may include an M^-1 multiplier adapted to apply a conversion operator to x,
e.g., to implement multiplication of x by M^-1. Circuitry 210 may be adapted to apply a
conversion operator to x, e.g., circuitry 210 may include a XOR module 216 for
implementing a XOR operation of x with b, and an (AM)^-1 multiplier 218 to implement
multiplication of the output of module 216 by (AM)^-1. Thus, the output of circuitry 214
may be M^-1 x, corresponding to the expression in brackets of Equation 8. The output of
circuitry 210 may be (AM)^-1 (x ⊕ b), corresponding to the expression in brackets of
Equation 9.

[0078] According to exemplary embodiments of the invention, module 221 may
also include a multiplexer 220, which may have two inputs associated with the outputs
of circuits 214 and 210, respectively. Multiplexer 220 may be used to select between
these two inputs, such that an output of multiplexer 220 may include one output of
converted data 231 corresponding to the selected input. Multiplexer 220 may include
any suitable circuitry known in the art for selection between two inputs. For example,
multiplexer 220 may include a control register (not shown). The control register may
store an indication bit to indicate the required mode of operation, e.g., the indication bit
may equal zero for the encrypt mode of operation and may equal one for the decrypt
mode of operation. The output of multiplexer 220 may be selected according to the value
of the indication bit, as is known in the art. The value of the indication bit may be set
before performing an encryption or a decryption operation on a plurality of data blocks.
Converted GF((2^4)^2) data 231 may include 8 bits carried, for example, by eight parallel
electric conductors (not shown), as is known in the art. The eight conductors may be
separated into two sets of four conductors, respectively. Thus, the eight bits of converted
data 231 may be split into two 4-bit data values z<m> = [z7 z6 z5 z4], denoted 235, and
z<l> = [z3 z2 z1 z0] (z<m>, z<l> ∈ GF(2^4)), denoted 231, corresponding to the values of the
eight bits of converted data 231, as described above.

[0079] Module 230 may include circuitry, as described below, to process data
values z<m> and z<l> and provide processed data represented by T(x) = c<m> t + c<l>, as
described above. The values of c<m> and c<l> may be provided by Equation system 14,
wherein z<m> and z<l> are substituted for a<m> and a<l>, and wherein α = 1.

[0080] According to exemplary embodiments of the invention, operation module
230 may include operation circuitry for performing AES equivalent operations on
converted data 231, as described above. The operation circuitry may include a first 8
bitwise XOR box 232 and a second 8 bitwise XOR box 234. The operation circuitry may
also include three copies, 236, 238 and 240, of the GF(2^4) multiplier, as described
above. The operation circuitry may also include three circuits/8-byte tables
implementing INV 242, SQR 244 and βSQR 246, respectively, as described above.
Circuits/tables 242, 244 and 246 and multipliers 236, 238, and 240 may be
predetermined according to the selected reduction polynomial, as described above. Thus,
the respective outputs c<l> and c<m> of multipliers 240 and 238 may equal
(z<l> + z<m>α)(z<l>^2 + z<l>z<m>α + z<m>^2 β)^-1 and z<m>(z<l>^2 + z<l>z<m>α + z<m>^2 β)^-1, respectively.

[0081] The four bit output of multiplier 240 and the four bit output of multiplier
238 may be re-combined at the output of module 230 to form one eight-bit data output
corresponding to the operation, T, performed on converted data 231. Thus, in the
encryption mode of operation the output of module 230 may include the value of T[M^-1
x x] according to Equation 8. In the decryption mode of operation, the output of module
230 may include the value of T[(AM)^-1 x (x ⊕ b)] according to Equation 9. The
eight-bit output of module 230 may be received by module 223.

[0082] Module 223 may include a first data path 272 corresponding to an
encryption mode of operation, and a second data path 274 corresponding to a decryption
mode of operation. Module 223 may include encryption de-conversion circuitry 285, and
decryption de-conversion circuitry 282. Circuitry 282 may include an M multiplier
associated with path 272. Multiplier 282 may be used in the decryption mode to convert
the processed GF((2^4)^2) data back into the AES representation, e.g., to provide
M x T[(AM)^-1 x (x ⊕ b)] in accordance with Equation 9. Circuitry 285 may include an
AM multiplier 284 associated with path 274, and a XOR block 286 associated with an
output of multiplier 284. Multiplier 284 may be used in combination with XOR block
286 to convert the processed GF((2^4)^2) data back into the AES representation in the
encryption mode of operation, e.g., to provide AM x T[M^-1 x x] ⊕ b, in accordance
with Equation 8. According to exemplary embodiments of the invention, module 223
may also include a multiplexer 290, which may have two inputs associated with outputs
of XOR block 286 and multiplier 282, respectively. Multiplexer 290 may be used to
select between these two inputs, such that an output of multiplexer 290 may include one
output corresponding to the mode of operation. Multiplexer 290 may include any
suitable circuitry known in the art for selection between two inputs. For example,
multiplexer 290 may include circuitry similar to the circuitry of multiplexer 220, as
described above.

[0083] Examples of the operation of S-box 200 are provided below. A first
example demonstrates encrypting data using an AES compliant S-box, in accordance
with an embodiment of the present invention. A second example demonstrates
decryption of data according to other exemplary embodiments. In the examples
provided, the 129th representation-transformation matrix from the set of matrices listed
above is used, and the input data, x, is chosen to have a value of 67. It should be noted
that the representation-transformation matrix and the input data in these samples have
been randomly selected for demonstrative purposes only and are not intended to limit the
scope of the invention to any particular choice of representation-transformation matrix
or to any specific input data value.

[0084] Initially, the input data, in this exemplary embodiment represented by the
hexadecimal value 67 (T1), may be loaded through input path 202. The input data may
be multiplied by M^-1 at multiplier 214, resulting in 2e (T3). Next, T3 is input to
multiplexer 220, which is set at the encryption mode. Thus, T3 is then split into two
4-bit values, namely, T7 = 2 and T6 = e. The two 4-bit values are then XORed at XOR
box 232, yielding T11 = T6 ⊕ T7 = c. T7 is input to βSQR circuit/table 246 resulting in
T10 = 2 · 2^2 = 8. Multiplier 236 is used to produce T9 = T7 · T6 = 2 · e = 3, according to
the multipliers described above. T6 is also input to SQR circuit/table 244 resulting in
T8 = e^2 = 9. The values T8, T9 and T10 are XORed at XOR box 234 producing
T12 = T8 ⊕ T9 ⊕ T10 = 2. T12 is then input to INV circuit/table 242 resulting in
T13 = T12^-1 = f. Multiplier 238 receives inputs T11 and T13, and multiplier 240 receives
inputs T7 and T13, resulting in T14 = T11 · T13 = 6, and T15 = T7 · T13 = 1. Next, T15
and T14 are combined to produce a single 8-bit data value, i.e., T16 = 16. The single 8-bit
data value is input to multiplier 284 resulting in T18 = (AM) · 16 = e6. Finally, T18 is
XORed at XOR box 286 with b producing T19 = T18 ⊕ b = 85. Multiplexer 258
chooses T20 = T19 = 85 as the output. Thus, the output, sbox[x], of the S-box is 85.

[0085] Provided below is an example of utilizing the S-box to decrypt the
(encrypted) output of the S-box described in the previous example. The S-box is initially
input with the data value T1 = 85. T1 is XORed at box 216 with b resulting in
T2 = T1 ⊕ b = e6. T2 is multiplied by (AM)^-1 at multiplier 218 to produce
T4 = (AM)^-1 · e6 = 16. Then, T4 is selected by multiplexer 220 (set to the decryption
mode), yielding T5. T5 is split into T6 = 6 and T7 = 1. The two 4-bit values are then
XORed at box 232, yielding T11 = T6 ⊕ T7 = 7. Next, using circuits/tables βSQR 246,
SQR 244 and multiplier 236, values T10 = β · T7^2 = 2, T9 = T6 · T7 = 6, and T8 = T6^2 = b
are calculated. The outputs T8, T9 and T10 are XORed at box 234 resulting in
T12 = T8 ⊕ T9 ⊕ T10 = f. T12 is then input to INV table 242 resulting in
T13 = T12^-1 = 2. Multiplier 238 has an input of T11 and T13, and multiplier 240 has an
input of T7 and T13. The resulting output of multipliers 240 and 238 is
T14 = T11 · T13 = e, and T15 = T7 · T13 = 2, respectively. Next, T14 and T15 are
combined to produce a single 8-bit data value T16 = 2e. T16 is multiplied by M at
multiplier 282 to produce T17 = M · 2e = 67. Finally, multiplexer 290 selects the output
T20 = T17 = 67.
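The following added example, written for this page and not taken from the patent, is a bit-level model of S-box 200 (FIG. 2) for the 129th matrix, built only from parts the text specifies: M, the AES parameters A and b, the three LUTs of Equation 15 and the bitwise GF(2^4) multiplier for t^4 + t^3 + t^2 + t + 1 with its shared sub-expression computed once as in [0068]. The signal names T1 to T20 follow [0084] and [0085]; the table-driven inverses of M and AM, the function names and the direct GF(2^8) reference S-box used for cross-checking are assumptions of this example rather than circuitry described in the text.

```python
# Added example (not from the patent): a bit-level model of S-box 200 (FIG. 2)
# for the 129th matrix, built only from parts the text specifies: M, the AES
# parameters A and b, the three LUTs of Equation 15 and the bitwise GF(2^4)
# multiplier for t^4+t^3+t^2+t+1. Signal names T1..T20 follow [0084]/[0085];
# the lookup-based inverses of M and AM are my modelling choice, not circuitry
# described in the text.

SQR  = [0x0, 0x1, 0x4, 0x5, 0xf, 0xe, 0xb, 0xa, 0x2, 0x3, 0x6, 0x7, 0xd, 0xc, 0x9, 0x8]
BSQR = [0x0, 0x2, 0x8, 0xa, 0x1, 0x3, 0x9, 0xb, 0x4, 0x6, 0xc, 0xe, 0x5, 0x7, 0xd, 0xf]
INV  = [0x0, 0x1, 0xf, 0xa, 0x8, 0x6, 0x5, 0x9, 0x4, 0x7, 0x3, 0xe, 0xd, 0xc, 0xb, 0x2]

M_COLS = [0x01, 0x50, 0xb0, 0x0c, 0xa3, 0x8b, 0xd3, 0xd5]   # 129th matrix, LSB column first
B = 0x63                                                    # AES affine constant b

def gf16_mul_circuit(a, d):
    """Multiplier solution for t^4+t^3+t^2+t+1 from [0067]; the shared
    expression a1d3+a2d2+a3d1 is computed once as in [0068]."""
    a3, a2, a1, a0 = (a >> 3) & 1, (a >> 2) & 1, (a >> 1) & 1, a & 1
    d3, d2, d1, d0 = (d >> 3) & 1, (d >> 2) & 1, (d >> 1) & 1, d & 1
    shared = (a1 & d3) ^ (a2 & d2) ^ (a3 & d1)
    r3 = (a0 & d3) ^ (a1 & d2) ^ (a2 & d1) ^ (a3 & d0) ^ shared
    r2 = (a0 & d2) ^ (a1 & d1) ^ (a2 & d0) ^ shared
    r1 = (a0 & d1) ^ (a1 & d0) ^ shared ^ (a3 & d3)
    r0 = (a0 & d0) ^ shared ^ (a2 & d3) ^ (a3 & d2)
    return r3 << 3 | r2 << 2 | r1 << 1 | r0

def matvec(cols, x):
    """Multiplication of x by a GF(2) matrix given as 8 column bytes."""
    y = 0
    for j, c in enumerate(cols):
        if (x >> j) & 1:
            y ^= c
    return y

def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xff

def affine_A(x):
    """The linear part A of the AES affine transformation (FIPS-197)."""
    return x ^ rotl8(x, 1) ^ rotl8(x, 2) ^ rotl8(x, 3) ^ rotl8(x, 4)

AM_COLS = [affine_A(c) for c in M_COLS]               # columns of A*M
M_INV = {matvec(M_COLS, z): z for z in range(256)}    # M^-1 as a lookup
AM_INV = {matvec(AM_COLS, z): z for z in range(256)}  # (AM)^-1 as a lookup

def operation_module_230(z):
    """T(z) of [0079]-[0081] with alpha = 1, beta = 2: z = z_m t + z_l."""
    t7, t6 = z >> 4, z & 0xf                 # z_m (235), z_l
    t11 = t6 ^ t7                             # XOR box 232
    t10 = BSQR[t7]                            # betaSQR 246
    t9 = gf16_mul_circuit(t7, t6)             # multiplier 236
    t8 = SQR[t6]                              # SQR 244
    t12 = t8 ^ t9 ^ t10                       # XOR box 234
    t13 = INV[t12]                            # INV 242
    t14 = gf16_mul_circuit(t11, t13)          # c_l
    t15 = gf16_mul_circuit(t7, t13)           # c_m
    return t15 << 4 | t14                     # T16

def sbox_encrypt(x):
    """Equation 8: AM * T[M^-1 * x] xor b (paths 202 / 272)."""
    t3 = M_INV[x]                                   # multiplier 214
    t16 = operation_module_230(t3)
    t18 = matvec(AM_COLS, t16)                      # multiplier 284
    return t18 ^ B                                  # XOR block 286

def sbox_decrypt(x):
    """Equation 9: M * T[(AM)^-1 * (x xor b)] (paths 204 / 274)."""
    t2 = x ^ B                                      # XOR module 216
    t4 = AM_INV[t2]                                 # multiplier 218
    t16 = operation_module_230(t4)
    return matvec(M_COLS, t16)                      # multiplier 282

# Reference: the standard AES S-box computed directly in GF(2^8), x^8+x^4+x^3+x+1
def gf256_mul(a, b):
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
    return r

def aes_sbox_reference(x):
    inv = 0 if x == 0 else next(c for c in range(1, 256) if gf256_mul(x, c) == 1)
    return affine_A(inv) ^ B

if __name__ == "__main__":
    print(hex(sbox_encrypt(0x67)), hex(sbox_decrypt(0x85)))                  # 0x85 0x67
    print(all(sbox_encrypt(x) == aes_sbox_reference(x) for x in range(256)))  # True
```

The model reproduces the two traces above (67 encrypts to 85 and 85 decrypts to 67) and, more usefully for verification, agrees with the standard AES S-box for all 256 inputs, which is the property that makes the composite-field circuit a drop-in replacement. A test of this kind, exhaustive over the 8-bit input space, is the natural acceptance check for any hardware or software S-box substitute, since a wrong matrix or table entry typically still passes a handful of spot values.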

[0086] Reference is made to Fig. 3, which schematically illustrates an operation
module 330, according to further exemplary embodiments of the invention.

[0087] According to some exemplary embodiments of the invention, module 230
(Fig. 2) of S-box 200 (Fig. 2) may be replaced by module 330 to allow performing the
AES equivalent operations for α ≠ 1. Module 330 may include an alpha multiplier 332
to multiply value 235 by α. The output of multiplier 332 may be provided as inputs to
XOR block 232 and multiplier 236, respectively. Thus, the c<m> output of multiplier 238
and the c<l> output of multiplier 240 may be provided according to Equation set 14, as
described above.

[0088] According to some embodiments of the invention there is provided a
method for determining the representation-transformation matrix from the set of
representation-transformation matrices. The method may include synthesizing, e.g., by
constructing and/or simulating, a plurality of circuits, each corresponding to a
representation-transformation matrix from the GF(2^8) representation into the GF((2^4)^2)
representation, as described above. The method may also include selecting one of the
matrices based on predetermined optimized criteria, e.g., minimal circuit area, as
described below.

[0089] According to exemplary embodiments of the invention, each
representation-transformation matrix M of the set of possible
representation-transformation matrices, e.g., the 192 representation-transformation
matrices discussed above, may be implemented to provide conversion from the AES
representation into the GF((2^4)^2) representation, as described above. Each
representation-transformation matrix may be implemented by an appropriate electrical
circuit, e.g., as described above, and/or appropriate software process, and may have
different performance characteristics, as discussed below. Thus, according to
embodiments of the invention, a representation-transformation matrix may be selected
from the set of matrices according to any desired criteria, as described below.

[0090] According to embodiments of the invention, the operation parameters
under which the circuits are tested may affect the relative results of the circuits. Thus the
optimality of a circuit or process may depend on the operation parameters used, as
described below. Furthermore, the determination of a circuit or process as being optimal
may also depend on the criteria used to evaluate the circuits/processes. Thus, different
circuits/processes may be determined to be optimal for different operation parameters
and/or criteria, as described below.

[0091] According to some exemplary embodiments of the invention, the
comparison criteria may include the number of gates and/or power consumption required
by each of the circuits/processes to convert the sample data and to perform the AES
equivalent operations described above. According to other embodiments of the
invention, any other desired optimization criteria may be applied.

[0092] According to exemplary embodiments of the invention, a set of circuits,
e.g., 192 circuits, corresponding to the 192 possible transformation matrices,
respectively, may be fabricated, e.g., corresponding to S-box 200 (Fig. 2) described
above. According to these exemplary embodiments, each one of the circuits may be
synthesized using a DC Shell 2001.08-sp1 (DC Expert) available from Synopsys. A
target library TSMC 0.18μ (SAGE-X Artisan) may be used. The synthesis may be
performed for various timings, e.g., time propagation delays, for example, ranging from
12 nSec to 6 nSec. These parameters may enable using different respective frequencies,
e.g., in the range of 66.7 MHz to 111 MHz by adding a margin, for example, a
3-nanosecond margin. According to these exemplary embodiments, the results of the
method described above may be summarized by the following table:

Table I

Timing (nSec) (Tpd)                  12           10           8            6
Max. Frequency (MHz)                 66.7         76.9         90.9         111.1
Min. Area (μ^2) for option (#)       3948 (82)    4650 (167)   4726 (167)   5495 (124)
Max. Area (μ^2) for option (#)       4480 (45)    5704 (62)    5977 (128)   8236 (128)
Relative Min./Max. % Difference      13           23           26           50

wherein numbers in parentheses denote circuits corresponding to the index number of
the representation-transformation matrices, as described above. Thus, for example, for
timing = 12, the minimal area circuit was obtained when using matrix No. 82, and the
maximal area circuit was obtained when using matrix No. 45.

[0093] As may be noted in Table 1, some circuits may appear to be more
desirable than others in terms of minimum area required for implementation, as well as
in terms of other criteria and/or under certain operation parameters. As may be further
noted, the performances of each of the circuits may be dependent upon the operation
parameters of the circuit. The modification of certain operation parameters may affect
the individual circuits in a generally similar manner. It should be appreciated, however,
that some circuits may yield optimal results when operated under certain operation
parameters, and significantly non-optimal results when the operation parameters are
changed. For example, the area of the circuits may increase with frequency, regardless of
the selected representation-transformation matrix; however, for different frequencies,
different circuits may provide optimal results, for example, a different optimal area
required for implementing the circuits. The differences in performance may be
contributable, at least in part, to different levels of complexity of the AES S-box
equivalent LUTs and to computations in the GF((2^4)^2) representation of GF(2^8) which
may differ amongst different circuits and under various operation parameters.

[0094] According to some embodiments of the invention, some of the circuits
may be less sensitive to frequency changes and substantially consistently provide better
results when operated under various operation parameters. For example, circuits 82, 105,
124 and 128, corresponding to respective equivalent representation-transformation
matrices, as described above, may provide desirable results under various operation
parameters. The differences in the performances of the various circuits, as well as the
desirability of some of the circuits in a substantially large number of cases, may be
associated with the use of the three alternatives for the INV and SQR circuits/tables and
the GF(2^4) multiplier, as described above. In addition, different circuits may dictate
different βSQR circuits/tables, and the multiplication by M, AM, M^-1, (AM)^-1 may also
differ, as described above.

[0095] According to further exemplary embodiments of the invention, the
conversion from the GF(2^8) representation into the GF((2^4)^2) representation may be
performed in stages or recursively, e.g., by applying one or more intermediate
conversion operators. For example, operations in the GF(2^s) representation, wherein
s = 2u, may be analogous to operations in a GF(2^(2u)) representation. The operations in the
GF(2^(2u)) representation may be performed in a GF((2^u)^2) representation. Thus, an
intermediate conversion operator may be applied to convert data in the GF(2^(2u))
representation into corresponding data in the GF((2^u)^2) representation. If desired, a
second intermediate conversion operator may be applied to convert the data in the
GF(2^u) representation into corresponding data in a GF((2^v)^2) representation, wherein
u = 2v, and so on. Thus, operations in a GF(2^n), wherein q is odd, may be performed
using operations in a GF((...((2^q)^2)^2...)^2) representation, by using operations in GF(2^q).
The conversion from one GF representation to another GF representation, e.g., having
half the size, may be designed according to efficiency criteria, e.g., circuitry and/or
power efficiency, of specific implementations.

[0096] It will be appreciated by persons skilled in the art that the present
invention is not limited to the exemplary embodiments of the invention shown and
described herein with reference to the accompanying drawings. While certain features of
the invention have been illustrated and described, many modifications, substitutions,
changes, and equivalents may occur to those skilled in the art. It is, therefore, to be
understood that the appended claims are intended to cover all such modifications and
changes as fall within the true spirit of the invention.